KB Article | Forcepoint Support

Notes & Warnings

Important The KB Articles provided may require you to login to https://support.forcepoint.com to view. If you do not have an account, please Create a Customer Account. If you have an account but cannot log in, Contact Support for assistance. 

Note This information only applies to Web deployments that connect with Active Directory.

Problem Description

If a user is blocked from websites they should be able to reach, or sees pop-up login prompts when browsing, the cause may be that the user is not being identified, so the policy that allows those sites is not being applied to them.

How to tell if someone isn't identified

When a user receives a block page, click "More information", then right-click the category shown for the site and choose "View Frame Source" or "View Page Source". The source shows the block page's actual data, including who Filtering Service believes the user is. If "User Name" contains an LDAP path with the user's details, the user is identified (confirm that it is the correct user name). If "User Name" shows only an IP address, the user is not identified.

For more detail including screen shots and an example of the user information, see How do block pages work?

You may also use Real-Time Monitor to check whether a user name or an IP address is shown for the client; an IP address means the user is not identified. If multiple Policy Servers are deployed, switch to the Policy Server that filters that user's traffic. For details, see Real-Time Monitor.

Some traffic never carries user identification: Linux servers, cellphones, tablets and any other device that does not log on to Active Directory will always appear as an IP address.
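To make the check above repeatable, here is an added example (not from the original article and not Forcepoint code) that pulls the "User Name" value out of saved block page source, or takes the value shown in Real-Time Monitor, and classifies it as identified (an LDAP path) or not identified (a bare IP address). The "User Name: ..." line format, the LDAP:// prefix and the sample snippets are assumptions constructed for illustration; adjust the pattern to what your block page source actually contains.

```python
import ipaddress
import re

# Assumed shape of the identifier in block page source / Real-Time Monitor:
# either an LDAP path such as
#   "LDAP://corp.example.com/CN=jdoe,OU=Staff,DC=corp,DC=example,DC=com"
# or a bare client IP address such as "10.20.30.40" (the unidentified case).
_DN_COMPONENT = re.compile(r"(?:^|[,/])\s*(CN|OU|DC)=", re.IGNORECASE)


def is_ip_address(value):
    """True for a bare IPv4 or IPv6 address, i.e. an unidentified client."""
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def is_ldap_path(value):
    """True when the value looks like an LDAP path or a distinguished name."""
    v = value.strip()
    return v.upper().startswith("LDAP://") or bool(_DN_COMPONENT.search(v))


def extract_cn(value):
    """Return the CN (account name) from an LDAP path, or None."""
    m = re.search(r"CN=([^,/]+)", value, re.IGNORECASE)
    return m.group(1).strip() if m else None


def classify_user_name(value):
    """Map a 'User Name' value to: identified, not_identified or unknown."""
    if is_ip_address(value):
        return "not_identified"
    if is_ldap_path(value):
        return "identified"
    return "unknown"


def parse_block_page_source(source):
    """Find the 'User Name' value in block page source text.
    Assumes a line of the form 'User Name: <value>' (constructed format)."""
    m = re.search(r"User Name\s*[:=]\s*(.+)", source, re.IGNORECASE)
    return m.group(1).strip() if m else None


def triage(source):
    """Return (value, verdict, account) for a block page source snippet."""
    value = parse_block_page_source(source)
    if value is None:
        return None, "unknown", None
    verdict = classify_user_name(value)
    account = extract_cn(value) if verdict == "identified" else None
    return value, verdict, account


# Constructed sample snippets, not real block pages.
SAMPLE_IDENTIFIED = (
    "Category: Business\n"
    "User Name: LDAP://corp.example.com/CN=jdoe,OU=Staff,DC=corp,DC=example,DC=com\n"
)
SAMPLE_UNIDENTIFIED = "Category: Business\nUser Name: 10.20.30.40\n"

if __name__ == "__main__":
    for snippet in (SAMPLE_IDENTIFIED, SAMPLE_UNIDENTIFIED):
        print(triage(snippet))
```

When the verdict is "identified", still compare the returned account name with the user who is actually at the keyboard; a wrong account on a shared machine is the DC Agent case described later in this article.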

Resolution

Determine Identification Method In Use

For instructions on how to locate the identification method in the deployment, see Determining Identification Method.

The identification methods covered in this article all involve Active Directory. Narrowing down which method is in use is vital to correcting the problem. Multiple identification methods may be present in an environment, but one overrides the others. For example, with IWA enabled, IWA is the primary source of identification for users connecting through the proxy on-premises, even if DC Agent or Logon Agent is also installed on the Windows server.

Identification Methods and Troubleshooting

DC Agent (Windows based)

Configuration

Troubleshooting

DC Agent cannot retrieve user data after Windows update
This is the most common cause of DC Agent providing no or intermittent identification for users. The "About the Hotfix" section of that article also applies to DC Agent troubleshooting on v8.4 or higher. On v8.1 or older, the deployment must be upgraded for the DC Agent fixes to take effect. For upgrade information, see Upgrade Centers for v7.8 to 8.x.

When using DC Agent, a user shows up as someone else and gets the wrong policy

This article explains why a user name may be incorrect, causing the wrong policy to be applied. It affects environments with shared computers, where another user logged into the computer before the current user, or where a DHCP address change happens during the 24-hour interval for which a user-to-IP mapping is kept.

DC Agent not working properly since upgrading Active Directory
This article lists which Active Directory versions are supported by each Forcepoint version. The same information is in the System Requirements page for the deployed Forcepoint version.
 

Hybrid Identification (Web Cloud Hybrid only)

Configuration

Identification and authentication of hybrid users

Troubleshooting

Hybrid error message 3002: "Duplicate email address"
This article addresses a common failure to synchronize user data to the cloud because the information is already present there.

Hybrid error message 3004: "Not Found For Modification or Deletion"
This article addresses a common failure to synchronize user data to the cloud because the information has changed and the old entry needs to be removed.
 

IWA or Rule Based Authentication (Proxy based)

Configuration

Content Gateway user authentication

Troubleshooting

Failed to Join Domain
Common causes, which are also covered in the setup documentation at Content Gateway user authentication:
  • Content Gateway cannot resolve the domain name
  • Content Gateway cannot resolve the FQDN
  • System time is not synchronized with the Domain Controllers to within 1 minute
  • Incorrect domain admin credentials (user name/password)
  • Password contains a space (Error: unable to join 2014 - authentication failed)
  • Ports 88, 389 and 445 are not open to the Domain Controller
Additional Failed to Join Domain errors and solutions: Authentication Prompts and other issues
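The causes above are all checkable before attempting the join. The following is an added example (not from the original article and not Forcepoint code) that runs those preconditions from the Content Gateway host: name resolution for the domain and the DC FQDN, clock skew against the Domain Controller, the password-with-a-space trap, and TCP reachability of ports 88, 389 and 445. The domain and host names are assumptions, and how you obtain the DC's clock is left to you (for instance by comparing against `ntpdate -q <dc>` output); the function takes that value as a parameter.

```python
"""Pre-flight checks for the "Failed to Join Domain" causes listed above.
Added example; not Forcepoint code. Hostnames, credentials and the way the
Domain Controller's clock is obtained are assumptions for illustration."""
import os
import socket
import time

# Ports the article says must be open to the Domain Controller.
REQUIRED_PORTS = {88: "Kerberos", 389: "LDAP", 445: "SMB"}
MAX_SKEW_SECONDS = 60  # the article's "within 1 minute" requirement


def default_resolver(name):
    """Resolve a name to an IPv4 address, or None if resolution fails."""
    try:
        return socket.gethostbyname(name)
    except OSError:  # socket.gaierror is a subclass of OSError
        return None


def default_connect(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_time_skew(local_epoch, dc_epoch, max_skew=MAX_SKEW_SECONDS):
    """Return (ok, skew_seconds). Kerberos rejects tickets if clocks drift."""
    skew = abs(float(local_epoch) - float(dc_epoch))
    return skew <= max_skew, skew


def check_password(password):
    """Return a list of problems; a space is the documented join-breaker."""
    problems = []
    if not password:
        problems.append("password is empty")
    if " " in password:
        problems.append("password contains a space (join error 2014)")
    return problems


def run_preflight(domain, dc_fqdn, admin_password, dc_epoch,
                  local_epoch=None, resolver=default_resolver,
                  connect=default_connect):
    """Run every listed precondition and return a result dict."""
    local_epoch = time.time() if local_epoch is None else local_epoch
    domain_ip = resolver(domain)
    dc_ip = resolver(dc_fqdn)
    skew_ok, skew = check_time_skew(local_epoch, dc_epoch)
    pw_problems = check_password(admin_password)
    # Only probe ports if the DC name resolved; otherwise the probe is meaningless.
    ports = {p: (dc_ip is not None and connect(dc_ip, p)) for p in REQUIRED_PORTS}
    result = {
        "domain_resolves": domain_ip is not None,
        "fqdn_resolves": dc_ip is not None,
        "time_skew_ok": skew_ok,
        "time_skew_seconds": skew,
        "password_ok": not pw_problems,
        "password_problems": pw_problems,
        "ports": ports,
    }
    result["ready_to_join"] = all([
        result["domain_resolves"], result["fqdn_resolves"],
        result["time_skew_ok"], result["password_ok"], all(ports.values()),
    ])
    return result


if __name__ == "__main__":
    # Assumed names. Supply the DC's clock out of band (e.g. derived from
    # `ntpdate -q dc1.corp.example.com`); here it is stubbed with local time.
    import json
    report = run_preflight("corp.example.com", "dc1.corp.example.com",
                           os.environ.get("DOMAIN_ADMIN_PASSWORD", ""),
                           dc_epoch=time.time())
    print(json.dumps(report, indent=2))
```

A False in "ports" for 88 alone usually means a firewall between the proxy and the DC is letting LDAP and SMB through but not Kerberos; that combination produces the Kerberos warning covered in the next entry rather than a hard join failure.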

Error "Clients may not be able to perform Kerberos authentication" displayed when joining the domain under IWA
This article covers the above error message in Content Gateway. It does not prevent the domain join for IWA or Rule Based Authentication, because NTLM will be used for communication instead of Kerberos.

Kerberos and Integrated Windows Authentication in a load balanced environment
This article applies when a load balancer such as an F5 is in use and more than one proxy with IWA or Rule Based Authentication is present.

Authenticate or Identify Mac Users for User or Group Based Filtering
This article discusses the methods for identifying Mac, iPhone and iPad users in IWA and DC Agent environments. 

Users are prompted for credentials when using NTLM proxy authentication with Firefox
This article is for Firefox users who receive authentication prompts. Unlike Internet Explorer and Chrome, Firefox does not necessarily use the proxy settings in Internet Options.

IWA is prompting transparent proxied users for authentication 
This article is for environments where Transparent Proxy (WCCP) is in use and authentication prompts occur, but do not occur when users are explicitly proxied. Note: the top of that article explains where to put the FQDN for explicit users (for example, in a PAC file).
